Nation's two biggest public pension funds, both in California, hit by massive cybersecurity breach

Personal information for retirees of the state, public agencies, school districts and retirees of the Judges’ Retirement System and Legislators’ Retirement System was accessed.

Published: June 25, 2023 12:15am

(The Center Square) - The country's two biggest public pension funds have been hit by a massive cybersecurity breach, allowing "criminals" to download such data as names, birthdates and Social Security numbers.

The breach earlier this month impacted as many as 769,000 retirees in CalPERS, the California Public Employees' Retirement System, which is the nation's largest public pension fund. It serves over 2 million members in its retirement system and over 1.5 million in its health program.

Also hit in apparently the same data intrusion effort was CalSTRS, the California State Teachers' Retirement System. CalSTRS is the second-largest public pension fund in the U.S. and the largest teachers' retirement system. It serves more than 947,000 members and says 415,000 of its members and beneficiaries were impacted by the breach.

The Center Square also reports personal information for retirees of the state, public agencies, school districts and retirees of the Judges’ Retirement System and Legislators’ Retirement System was accessed when a transfer application was compromised on June 6.

CalPERS announced the breach June 21.

The MOVEit Transfer Application that was compromised encrypts data and is used by CalPERS to facilitate accuracy in payments to retirees and beneficiaries and prevent instances of overpayments or other errors.

The MOVEit Transfer service is provided to CalPERS by PBI Research Service, which also verifies benefit information.

The MOVEit Transfer app is used by thousands of organizations worldwide that were also impacted by the breach.

PBI says it identified the vulnerability in late May and has since resolved it.

PBI said in a statement that it identified the vulnerability at the end of May and that it was "actively being exploited by cyber criminals."

"PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients," the company also said.

CalPERS’ information systems were not affected by the breach. Still, CalPERS has implemented new security protocols for its website, call centers and offices. Monthly pension payments will continue in accordance with member preferences.

CalPERS has partnered with Experian to offer a two-year credit monitoring and identity restoration service to members whose information was stolen. Impacted members were sent a letter detailing instructions on how to access the services.

Additionally, CalPERS advises its members to regularly review and monitor their accounts and credit history for signs of unauthorized transactions or activity and contact local police if they suspect fraud or identity theft.

Additional information on recovering from identity theft can be accessed at FTC consumer advice online.
